UK/EU Privacy Notice


This privacy notice covers Keri Systems UK. We describe here the data we collect from you when you engage with us, our reasons for collecting it, what we do with it and what your rights are.

Who are we?

We are Keri Systems UK Ltd. Our registered office is 4 Grenville Avenue, Broxbourne, Hertfordshire, EN10 7DH, company registration number 03842772.

Our office address is 1-3 The Paddocks, Frettenham Road, Horstead, Norwich, NR12 7LB.

If you have any questions regarding this notice or our processing of your personal data then you can write to us at the above office address, or call us on +44 (0) 1763 273 243 or email us at

We are registered with the Information Commissioner’s Office (ICO – the UK’s regulator for personal data processing matters), registration number ZB335913.

Purpose of processing

We process your personal data for a variety of purposes as set out in the table below for which we are the Controller.

Where we are providing our Borealis system to our clients in the UK or Europe we act as a Processor on their behalf. Please see the Borealis section of this notice for more information.

| Purpose | Lawful Basis under UK GDPR |
| --- | --- |
| Managing your enquiries | Our legitimate interests in responding to and managing your enquiry |
| Managing our commercial relationship with you as a contact employed by one of our clients | Our legitimate interests in managing our commercial relationships and any associated contracts between our respective organisations |
| Managing our commercial relationship with you as a contact employed by one of our suppliers | Our legitimate interests in managing our commercial relationships and any associated contracts between our respective organisations |
| Direct marketing | Our legitimate interests in ensuring we appropriately manage, deliver or suppress direct marketing activity |
| Recruitment enquiries | Taking the steps necessary to enter into a contract with you. We will provide further privacy information to you as the recruitment process progresses. |


Where we are relying on our legitimate interests you are free to object to that at any time.  In the case of direct marketing activity we will ensure that we cease to market our services to you should you object to our legitimate interests.

Where we are relying on your consent you are free to change your mind and withdraw your consent at any time.

Data we collect

The table below gives information on the categories of personal data we process for each of the purposes shown above.

| Purpose | Categories of Data Processed |
| --- | --- |
| Managing your enquiries | Name, contact details, contact history and message content |
| Managing our commercial relationship with you as a contact employed by one of our clients | Name, contact details, organisation & role, contact history |
| Managing our commercial relationship with you as a contact employed by one of our suppliers | Name, contact details, organisation & role, contact details. |
| Direct marketing | Name, contact details, marketing preferences |
| Recruitment enquiries | Name, contact details, employment history, salary and benefit requirements, details of roles applied for |


Special category data

There are additional rules we must follow if we collect certain types of more sensitive data, known as Special Category Data.  These include details of your ethnicity, beliefs, health and sexuality and in each case we must let you know what our additional lawful basis is for processing such data.

We do not routinely process any such special category data, however we may occasionally do so (for example when we manage an event you are attending we may ask for any dietary or access requirements which could include data relating to belief or health) and will always ensure we have a lawful basis (normally by asking for your explicit consent) and only retain the information for a very limited period of time.

How long do we keep your data for?

Where we are relying on our legitimate interests to process your data then we will keep your personal data until you object to our legitimate interests and we agree with your objection, or until the following default periods have elapsed after our last contact with you.

We will retain your personal data by default for the following periods:

| Purpose | Maximum Retention Period |
| --- | --- |
| Managing your enquiries | 7 years |
| Managing our commercial relationship with you as a contact employed by one of our clients | 7 years |
| Managing our commercial relationship with you as a contact employed by one of our suppliers | 7 years |
| Direct marketing | 7 years |
| Recruitment enquiries | 1 year |


Do we ever share personal data?

We will share your data if we receive a legitimate request from a law enforcement agency.

When you submit your personal data online your data is shared with our partners who manage our website.

If we are communicating with you via email or social media channels we will be sharing your personal data with those email and social media providers.

We also utilise external suppliers to provide a number of business support services. We always ensure that we have appropriate contracts in place to protect your rights when personal data are processed on our behalf by these third parties.

How do we keep your data secure?

We take sensible steps to keep your data secure and ensure we can uphold your rights and meet our obligations under UK GDPR:

  • All data sent between your browser and our website are encrypted in transit,
  • Access to personal data is role based: only those members of staff with a legitimate need will have access,
  • Systems are password protected and multi-factor authentication is enabled where available,
  • We ensure that appropriate contracts are in place with our suppliers who process your personal data to protect your rights, to ensure that they take appropriate security measures to safeguard your data, and that any international transfers are done correctly under UK GDPR,
  • Our employees are all subject to an obligation of confidentiality, and receive training on data protection matters,
  • We utilise appropriate technical and organisational measures to optimise the security of your personal data.


Your Rights

You have a number of rights relating to the processing of your data. If you would like to use them or have any questions then please contact us.

We won’t charge you for doing any of the following, however we may make a charge in the case of frequent repeat or unfounded requests:

  • Awareness: You have the right to be fully informed about why and how we process your information.  This privacy notice is intended to meet that requirement, but please do contact us if you have any questions.  If we obtain your personal data from a third party (e.g. a social media platform or recruitment platform) then we will tell you where we have obtained your information from,
  • Access: You have the right to a copy of the data we hold about you,
  • Rectification: If you think some of the data we hold is wrong then you have the right to ask us to correct it,
  • Erasure: You have the right to ask us to delete the data we hold about you.  Where we are holding the data to fulfil a contract with you or your organisation then we will need to retain the data in accordance with the data retention requirements shown above,
  • Restriction: You have the right to ask us to restrict the processing of personal data whilst we check its accuracy, if you think the processing is unlawful, if you believe we no longer need to process the data but you need us to store it due to pending legal claims, or when you object to our processing based upon our legitimate interests and we are assessing the validity of that,
  • Object: Where we are processing your personal data based upon our legitimate interests you have the right to object to that.  If your objection is valid (for instance in the case of any direct marketing activity) then we will stop processing your personal data for that purpose,
  • Data portability: You can request a copy of your data in a digital format which you can then supply to another provider when we are processing your personal data under the lawful basis of performing a contract with you or because we have your consent,
  • Automated decisions and profiling: You have the right, in certain circumstances, not to be subject to decisions based on automated processing (including profiling) if it has a significant or legal impact on you.  This doesn’t apply if the processing is necessary to fulfil a contract with you, or if you have given us your consent to do so.  We do not currently use any technology to make automated decisions about you.

Where do we process data?

We primarily process data in the UK; however, we use partners to help us deliver our services, and some of these services will mean that your personal data are transferred outside of the UK.

Our primary partner is our US based parent company, Keri Systems Inc, and we have appropriate International Data Transfer Agreements in place to correctly facilitate any transfers.

We may share your personal data with professional advisors from time to time, such as our accountants or legal advisors.  We will always ensure that appropriate protections to your rights and freedoms are in place.


Borealis is our cloud based access control system.  Keri Systems UK is the provider of the Borealis system to our clients in the UK and Europe:  our clients are the Controllers for this processing and Keri Systems UK act as their Processor.

This section provides some useful information about the processing of personal data by Borealis, however if you are an individual seeking to invoke your rights under GDPR/UK GDPR then you should contact the Controller for this processing directly.

Subject Matter of Processing

Provision of the Borealis cloud based access control system, including hosting of all associated data, to enable our client, the Controller, to manage site security and access records.

Duration of the Processing

Until such time as the contract with our client for the provision of service ends.

Type of Personal Data

User account credentials and administrator permissions, classification of user (Owner, Operator User, Systems Operators), unique identifier of access control fobs and name of associated individual, site access records, customer created custom fields

User credentials for the Controller’s staff

Special Categories of Personal Data

No special categories of personal data are processed by default, however our client has the ability to create custom fields.

International Transfers

The transfers of data to and from the Processor, Keri Systems UK, are enabled by the UK being deemed to be an adequate nation for data protection by the EU.

Technical and Organisational Measures

We implement the following appropriate measures by default to preserve the security of the data collected:

  • No copies of data are to be held by us without the Controller’s permission
  • Any such copies of data will be held in secure, password protected IT systems
  • Multi factor authentication shall be enabled on any systems where it is available
  • We ensure that our IT systems use modern software that is kept up-to-date
  • When personal data is deleted this will be done safely such that the data is irrecoverable
  • Appropriate back-up and disaster recovery solutions are in place
  • All data will be encrypted in transit
  • All UK/EU customers are contracted to Keri Systems UK and an additional Data Processing Addendum applies to that processing to comply with GDPR/UK GDPR.


List of Sub-Processors used by us to deliver the Borealis service

Name of Sub-Processor Address Nature of processing activity
Keri Systems Inc

302 Enzo Dr Suite 190, San Jose, California 95138, USA.


International transfer facilitated by International Data Transfer Agreement in place with Sub-Processor

Provision and hosting of Borealis system


Making a complaint

Please contact us at the above address.  You can also contact the Information Commissioner’s Office (ICO) on their helpline 0303 123 1113 or online at  If you should contact the ICO they will normally ask you to contact us first.

If you have a complaint regarding the processing of your personal data by the Borealis system then please direct your complaint to the Controller in the first instance rather than Keri Systems UK.